A few weeks ago, my cousin's machine (Windows XP SP3), using an outdated version of Java, was hit by a rather nasty Virtumonde infection. Tackling this when my schedule allowed, I needed a good week to finally find out what Virtumonde is (I used to do IT work but moved on years ago) and how best to destroy it. I used HijackThis, AVG, HouseCall, Panda ActiveScan (which left a sour taste in my mouth), Combofix, Spybot, Smitrem (as Spybot told me it found a Smitfraud variant), AntiMalware, AdAware, SDFix, and a bunch of manual deleting of files in the safe mode command prompt. I finally got to the point where no infections are found scanning with AVG and Spybot, though HouseCall still finds some sort of "generic" infection that it has no additional info for (and won't remove), and ActiveScan says that there's a "latent" Virtumonde file on the machine, but wants money to remove it. Money I'm not paying.
I should note: before starting any of this I uninstalled Java, and after it all I installed the latest version.
Anywho, a few days ago, my cousin wanted to play Phantasy Star Online Blue Burst. AVG 7.5 (kept up to date) says it's a threat. It's said this before, and given that I've seen other players get this warning online but run the program anyway with no ill effects, I assume it's a false positive (the executable is psobb.exe). Regardless, scanning the file on my own machine with AVG 8, it seems not to see psobb.exe as a threat. So, as a matter of convenience, I have my cousin uninstall AVG 7.5 and install 8.
However, the installation process stops midway, as the installer cannot write a key to HKLM/Software/Microsoft/Windows NT/CurrentVersion/Windows. So I try to view this key and I'm told I don't have permissions. My cousin has two accounts on her machine: hers and the default XP admin account. Both are administrators. I try to view the key on either, and I can't. I can't add to it, modify it, or delete it. At all. I try, with both accounts, to add permissions to each branch leading to that key; I give Full Control to admins, power users, the Everyone account, and add the two machine accounts to the list as well. No luck.
So I do a search online and find that I'm not alone in encountering this issue. I try a tool from AVG meant to completely destroy past installations of its software; no luck after running that.
I tried this, both in normal and safe mode, with no luck: http://freeforum.avg.com/read.php?12,14970...9709#msg-149709
I tried this after, again in both modes, with no luck: http://freeforum.avg.com/read.php?13,160321,162947
I tried another bout of scans with Spybot and HouseCall, and neither finds anything other than HouseCall's cryptic "generic" infection.
One thing I didn't do is run another HijackThis scan, and I'm having my cousin run one and send me the log file. Otherwise, I'm completely out of ideas. Is the machine still infected? Is it something else entirely? Any help would be greatly appreciated and, if my plans to take over the solar system ever do come to fruition, the planet Mercury belongs to whoever can help me.
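As an added diagnostic (not part of the original post, and not one of AVG's tools): a PowerShell snippet that walks each key on the path the installer failed on and reports, per key, whether the ACL is readable, who owns it, and any Deny entries. It assumes PowerShell 2.0 or later (installed separately on XP SP3) and an elevated session; the function name is mine.

```powershell
# Added example, not from the original post. Assumes PowerShell 2.0+ and an
# elevated prompt; on XP SP3 PowerShell has to be installed separately.
$target = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

function Get-RegistryKeyLockReport {
    param([string]$Path)
    # Walk from the hive root down to the target: a Deny ACE or a changed
    # owner on any parent key is enough to block access to the child.
    $parts = $Path -split '\\'
    $current = $parts[0]
    foreach ($part in $parts[1..($parts.Count - 1)]) {
        $current = "$current\$part"
        $report = New-Object PSObject -Property @{
            Path = $current; Readable = $false; Owner = $null; DenyRules = @(); Error = $null
        }
        try {
            $acl = Get-Acl -Path $current -ErrorAction Stop
            $report.Readable = $true
            $report.Owner = $acl.Owner
            # A Deny ACE always wins over an Allow ACE, which is why granting Full
            # Control to Administrators or Everyone changes nothing while one remains.
            $report.DenyRules = @($acl.Access |
                Where-Object { $_.AccessControlType -eq 'Deny' } |
                ForEach-Object { "$($_.IdentityReference) : $($_.RegistryRights)" })
        } catch {
            # Not even READ_CONTROL is granted: typically the owner was changed and
            # the DACL stripped, so ownership must be taken back before any ACL edit.
            $report.Error = $_.Exception.Message
        }
        $report
    }
}

Get-RegistryKeyLockReport -Path $target |
    Format-Table Path, Readable, Owner,
        @{ Label = 'DenyRules'; Expression = { $_.DenyRules -join '; ' } }, Error -AutoSize
```

On a stock XP install these keys are owned by BUILTIN\Administrators or NT AUTHORITY\SYSTEM, so a different owner or any Deny row points at the key that was locked; ownership has to be taken back (regedit, Permissions, Advanced, Owner) before the Allow rights added in the post can take effect.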